Vendor (Supplier) Risk Assessment & SOX
-
Hi, I am putting together a risk assessment framework for a UK bank and need to consider SOX.
Can anyone give me advice on whether SOX has anything that relates to vendors (suppliers) and the risk they may introduce to the business?
Any thoughts welcome.
Thanks
-
Hi,
Generally, procurement risks are more prevalent and have more impact on ICOFR issues in a manufacturing concern than they would in a bank. However, the following are procurement issues related to SOX for any company:
Section 302
Addresses executive-level responsibilities for disclosure controls and procedures over material information included in public reports; effective financial and procurement processes, including authorization and spending controls, and management of outstanding purchase commitments and risks contribute to full disclosure.
Section 401
Addresses disclosure requirements in specific areas including off-balance-sheet transactions, pro forma disclosures and special purpose entities; relationships with third parties, including suppliers, may have reporting implications requiring consideration.
Section 404
Addresses responsibilities for internal control over financial reporting, including an annual assessment by management of the effectiveness of such controls with the external auditor attesting to that assessment; all key procurement and disbursement processes affecting financial reporting must be effectively controlled in a manner that is auditable.
Section 409
Addresses the requirement to disclose information on material changes in the company’s financial position and results of operations quickly on a ‘current and rapid’ basis; therefore, changes over time in procurement and expenditure processes and in the related risks should be evaluated in this context.
Section 802
Addresses record retention by external auditors; management may want to consult with counsel to ensure the organization’s retention practices are appropriate in light of the realities of today, including retention practices affecting the entity’s procurement and disbursement processes.
Section 906
Addresses senior executives' responsibilities for certifying the accuracy of the financial condition of the company's reports; as with Section 302, effective procurement and disbursement processes and controls must be in place to provide reliable information.
Some Business Process Risks:
FINANCIAL
Price, Currency, Commodity, Equity, Interest Rate, Financial Instrument, Liquidity, Concentration, Opportunity Cost, Cash Flow, Credit, Default, Settlement, and Collateral
Particularly concentrated in the following for procurement activities:
INFORMATION PROCESSING/TECHNOLOGY
Relevance, Integrity, Access, Availability and Infrastructure
INTEGRITY
Employee/Third Party Fraud, Reputation, Management Fraud, Illegal Acts, and Unauthorized Use
Some other areas for consideration:
Controllable risks might include:
Financial/total cost/price (including sourcing)
Product/service outsourcing
Global sourcing (services and products)
Regulatory
Legal and contract-related
Planning, forecasting and alignment (demand/supply imbalance)
Supply interruption
Supplier qualification
Customer service and satisfaction
Inventory/obsolescence
Human resource (skills, qualifications, competencies, organization, culture)
Information for decision-making (management, measurement, and control information)
Efficiency
Compliance
Technology/systems
Hope this helps,
Milan
-
With significant reliance on IT systems and integration of multiple IT suppliers, some IT areas for concern related to suppliers/vendors:
- Manage your Technology Vendors and their Inherent Risks
- Implementing Controls to Reduce Vendor Risk
- Practice Due Diligence when Selecting Vendors
Managing Technology Vendors
Management should develop a vendor risk assessment to monitor service provider performance and potential changes in institution requirements throughout the life of the contract.
Monitoring should include:
Key service level agreements (SLAs) and contract provisions;
Financial condition of the service provider;
General control environment of the service provider through the receipt and review of audit reports and other internal control reviews; and
Potential changes due to the external environment.
How to Perform a Vendor Risk Assessment
Inventory all technology vendors
To identify vendors to be measured for risk
Measure and Assign an Aggregate Risk score to each vendor
Quantity of Risk - risk inherent in using the vendor vs.
Quality of Risk Management and Control - risk management and control initiatives
Develop the program for periodic review of vendor controls
Assess Quantity of Risk
Data Confidentiality
Earnings Exposure
Capacity
Availability
Logical or Physical Access
Stability
Outsourcing
Regulatory Risk
Assess Quality of Risk Management
Contracts
Service Level Agreements
Financial Condition
Vendor Assurance Reports
Vendor Contracts
Key contract components include:
Ownership of Intellectual Property
Duration
Dispute Resolution
Indemnification
Limitation of Liability
Termination
Third Party Assignment
Scope of Service
Performance Standards
Security and Confidentiality
Operational Controls
Reporting
Business Resumption
Costs
Service Level Agreements (SLA)
An SLA should be included to specify and clarify performance expectations and establish accountability
An SLA should formalize the performance criteria against which the quantity and quality of service should be measured
Management should closely monitor the service provider’s compliance with the SLA
Financial Condition of Technology Vendors
Annually review the financial viability of your vendors
Utilize the vendors' annual financial statement and independent auditor reports
Closely monitor declining vendors
Vendor Reports
AICPA Reports
SAS No 70 reports on the processing of transactions by service organizations
SysTrust assurance on any defined electronic system
Certification
Certifications based on private, proprietary information created by the preparer
Vendor Certifications
TruSecure
VeriSign
To close:
Institutions are increasingly dependent on technology developed and managed by third parties
Institutions must understand and manage the risks and controls associated with vendors who help deliver the technology solutions designed to support business operations
Contracts are written to address current needs at a point in time
Over time an institution's needs may change based on regulatory, economic, or other factors
Institutions need to monitor for changes and update their contracts accordingly
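A scoring sketch of the "Quantity of Risk vs. Quality of Risk Management and Control" model laid out in the post above, added here as an example rather than code from the thread. The factor weights, the 80% mitigation cap, the tier thresholds and the review cadences are assumptions, and the two sample vendors are constructed.

```python
# Inherent ("quantity of risk") factors from the post, rated 1 (low) to 5 (high).
QUANTITY_FACTORS = ("data_confidentiality", "earnings_exposure", "capacity",
                    "availability", "logical_or_physical_access", "stability",
                    "outsourcing", "regulatory_risk")
# Control ("quality of risk management") factors, rated 1 (weak) to 5 (strong).
QUALITY_FACTORS = ("contracts", "service_level_agreements",
                   "financial_condition", "vendor_assurance_reports")
# Assumed weights: confidentiality and access count double for a bank.
WEIGHTS = {"data_confidentiality": 2.0, "logical_or_physical_access": 2.0}
# Assumed months between reassessments for each residual-risk tier.
REVIEW_MONTHS = {"high": 6, "medium": 12, "low": 24}

def _check(ratings, factors):
    """Refuse to score a vendor with missing or out-of-range ratings."""
    missing = set(factors) - set(ratings)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    if any(not 1 <= ratings[f] <= 5 for f in factors):
        raise ValueError("ratings must be between 1 and 5")

def inherent_score(quantity):
    """Weighted mean of quantity-of-risk ratings, normalised to 0..1."""
    _check(quantity, QUANTITY_FACTORS)
    total = sum(WEIGHTS.get(f, 1.0) * quantity[f] for f in QUANTITY_FACTORS)
    return total / (5 * sum(WEIGHTS.get(f, 1.0) for f in QUANTITY_FACTORS))

def control_effectiveness(quality):
    """Weakest control rating as a 0..1 factor (assumed design choice):
    a strong SLA does not make up for a missing assurance report."""
    _check(quality, QUALITY_FACTORS)
    return min(quality[f] for f in QUALITY_FACTORS) / 5

def assess(name, quantity, quality):
    """Residual risk = inherent risk reduced by controls (assumed 80% cap),
    tiered to drive the periodic review cadence."""
    inherent = inherent_score(quantity)
    residual = inherent * (1 - 0.8 * control_effectiveness(quality))
    tier = "high" if residual >= 0.5 else "medium" if residual >= 0.25 else "low"
    return {"vendor": name, "inherent": round(inherent, 2),
            "residual": round(residual, 2), "tier": tier,
            "review_months": REVIEW_MONTHS[tier]}

# Constructed sample vendors, not real suppliers.
CORE_BANKING = assess("core-banking-host", dict.fromkeys(QUANTITY_FACTORS, 5),
                      {"contracts": 4, "service_level_agreements": 4,
                       "financial_condition": 5, "vendor_assurance_reports": 2})
CATERING = assess("staff-canteen", dict.fromkeys(QUANTITY_FACTORS, 1),
                  dict.fromkeys(QUALITY_FACTORS, 5))
```

The weak assurance-report rating keeps the core banking host in the high tier despite good contracts and SLAs, which is the point of scoring controls by their weakest element.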